The 72-Minute Gap: What the Breaches, the Vendors, and the Messaging Are Actually Telling Us | Lens Four by Sean Martin | Read by TAPE9

The 72-minute gap, what the breaches, the vendors, and the messaging are actually telling

us.

I look at the intersection of business, technology, and messaging regularly through

three lenses, how organizations are running their operations and security programs, how

vendors and innovations are reshaping the market, and how language influences the decisions

that executives and practitioners actually make.

How fast are AI-driven cyberattacks and can security programs keep up?

The short answer, attackers are operating in minutes and most defenders are not.

AI-driven cyberattacks now move from initial access to data exfiltration in as little

as 72 minutes, a four times acceleration over the prior year, according to the Unit 42-20-26

Global Incident Response Report.

Meanwhile, only 6% of organizations have fully deployed agentic AI in their security operations,

even though 92% say AI helps their teams review more events.

Information events and responding at machine speed are fundamentally different capabilities.

That gap is where breaches live.

February 2026 proved it, Japan Airlines disclosed unauthorized access to customer data spanning

back to July 2024.

Win resorts lost government-issued IDs to ransomware.

The Amarit, a company trusted to verify identities, leaked 1 billion records.

The University of Mississippi Medical Center had to close clinics and cancel procedures.

Substack, flicker, crunch base, and Malaysia Airlines all reported incidents in the same

month.

The thread connecting these was not sophisticated tradecraft.

It was credential reuse, ungoverned third-party access, and peripheral systems nobody was

monitoring, gaps in visibility, not gaps in technology.

Unit 42's data makes it stark.

65% of initial access is now identity driven, with social engineering, stolen credentials,

and IAM misconfigurations as the primary entry points.

Identity weaknesses played a role in nearly 90% of all incidents investigated, and the institutional

backstop is weakening.

SESA has lost nearly 30% of its workforce since early 2025, dropping from about 3400 to

2400 staff.

The Surseya Final Rule is delayed until May 2026.

The Cybersecurity Information Sharing Act has expired.

For every CISO trying to build a program that connects detection to response to business

continuity, the question to the board is

direct.

If the federal infrastructure we relied on is diminished, what is our plan?

But here is what makes this moment different from the last decade of we are losing the

arms race headlines.

Some organizations are closing the gap and closing it fast.

In a recent conversation on the redefining cybersecurity podcast, industry analyst Richard

Steyannon, former Gartner VP, and founder of IT Harvest, described a CISO at a large

enterprise who has already eliminated the entire SOC team, not downsized, eliminated,

replaced by AI-driven SOC automation that triages 100% of alerts, builds cases, investigates

threats, and executes containment, 24-7 at machine speed for a fraction of the cost of

a human-staffed operation.

That is not a vendor pitch.

It is an operational reality that changes the math for every security program still staffing

a traditional SOC.

If one organization can do it, the question for every other CISO becomes, what is the cost

of not doing it?

Steyannon framed it bluntly.

If a 90-day proof-of-concept costs $15,000 and your SOC budget over that same period

is $1,000,000, every quarter you delay is a quarter of budget you do not get back.

The workforce gap is 4.8 million globally.

The breach tempo is accelerating.

The programs that close the 72-minute gap will not do it by hiring faster.

They will do it by rethinking what humans are for and what machines should own.

Which vendor moves are actually changing the market?

Form consolidation is accelerating, but the most disruptive shift may not be coming from

the platform vendors at all.

Every major cybersecurity vendor is telling the same story.

Consolidate with us, reduce complexity, get unified visibility.

The question, CISOs, should be asking is whether the platform solves the operational problem

they have today or sells them a vision while their program struggles with basics.

Colorado Networks posted $2.6 billion in Q2 revenue, but missed Q3 earnings guidance,

with shares dropping 7% on integration costs from its $25 billion cyber arc acquisition.

Crowdstrike told a different story, net new ARR, up 73% year over year, extending Falcon

through a single agent architecture with targeted acquisitions of Seraphic Security and SGNL

that avoid heavy integration overhead.

The M and A signal is impossible to ignore.

Google closed its $32 billion whiz acquisition with EU approval.

SIR raised $400 million at a $9 billion valuation.

Vectra acquired netography to unify observability and detection.

The consolidation is real.

But underneath the platform wars, a different market is forming.

IT Harvest now tracks 375 AI security vendors, almost all founded since 2022.

Of those, 58 are focused specifically on SOC automation, not SIEM vendors adding features,

but purpose-built startups replacing the SOC staffing model entirely.

Collectively, they have received over $1.3 billion in funding.

Many of these companies launched in early 2025 and reached $1 million in ARR within months.

By year end, several had hit $3 million in ARR for a product category that barely existed

18 months earlier.

Steinen's assessment is direct.

By this time next year, tracking AI security as a standalone category will no longer make

sense because every vendor will be an AI security vendor.

That is a market structure claim, not a feature claim.

And it has implications beyond the SOC.

Agentec AI, autonomous systems that make decisions without continuous human oversight,

landed at the top of Gartner's 2026 cybersecurity trends.

Forrester predicts it will cause a public breach this year.

That prediction already has a proof point.

A vulnerability dubbed claw jacked in OpenClaw showed that a malicious website could hijack

a locally running AI agent through its core gateway.

No plugins or user error required.

Traditional identity and access management was never designed for machine actors that spin

up dynamically, retain persistent credentials, and operate outside human governance life cycles.

Gartner data shows 57% of employees use personal gene AI for work, with 33% uploading sensitive

data to unsanctioned tools.

Enterprise management associates calls this the triple threat, agentec risk, identity governance

deficits, and a visibility gap most organizations have not begun to address.

The trust question is not abstract.

As I explored with CNN on the podcast, if SOC automation tools are consuming your logs,

your alerts, and your environment data, how much of that is flowing through public models?

His answer is that most serious vendors are running models locally or using privacy

preserving approaches like federated learning with fully homomorphic encryption, keeping

data encrypted even during processing.

The privacy infrastructure is maturing alongside the automation capability, but the question

every CISO should be asking their vendors right now is, where does my data go and who else

can see it?

How is the industry's own language getting in the way?

When buzzwords replace operational specificity, organizations lose the ability to measure

what matters.

Resilience is the dominant frame across every major analyst report and vendor keynote

report right now.

The World Economic Forum's 2026 Global Cybersecurity Outlook is built around it.

Gartner's trends emphasize it, forester's predictions assume it, the shift from prevent

everything to prepare for the inevitable is healthy, but resilience without definition

becomes a permission structure for mediocrity.

Resilience to what?

Over what time frame?

If recovery takes three days and the attacker moved in 72 minutes, that is not resilience,

it is damage control.

Ask the patients in Mississippi whose procedures were canceled.

The bigger messaging problem may be the gap between what the technology can now do and

how the industry talks about it.

Stianne posted his SOC automation research on LinkedIn and described the response.

Half the comments defaulted to, but you need human in the loop.

And what about controls?

The conservative security reflexes that have defined the profession for decades.

That instinct is understandable.

It is also increasingly expensive.

AI model intelligence is growing by roughly 10 times per year.

The industry's language and its planning assumptions are still linear.

And the conversation is about whether to trust an autonomous system.

And the system is doubling in capability every few months.

The risk, calculus, changes faster than most governance frameworks can accommodate.

The board's CSO communication gap reinforces this.

The IANS and Artico 2026 benchmark report found that 95% of CSOs deliver regular board

updates, but only 30% of boards describe the relationship as strong and collaborative.

Nearly half of directors say CSO reporting on evolving threats needs improvement.

The world economic forum data reveals a parallel disconnect.

CEOs rank fraud and fishing as their top concern while CSOs rank ransomware.

In the board and the security leader are telling different stories about primary risk.

The budget gets pulled in multiple directions without a clear operational anchor.

Meanwhile, the macro spending numbers keep climbing.

$244 billion globally in 2026.

Up 13.3%.

With managed services growing fastest at 11.1%, because organizations cannot hire fast enough

to run their own SOCs.

Cyber insurers are demanding evidence of specific controls before issuing policies,

becoming an unofficial compliance mechanism.

And in an industry spending a quarter of a trillion dollars this year,

the hardest question is not whether we have enough technology.

It is whether we are honest about the gap between the story we tell and the outcomes we deliver.

The language matters because it shapes what gets funded and what gets measured.

When a vendor says platform, a buyer should hear, consolidate everything with me.

When an analyst says resilience, a CISO should ask resilient enough to do what in the first 72 minutes.

When a security leader says we need human in the loop, press for which decisions at what speed and at what cost.

And when a policymaker says back on mission, press with what resources 72 minutes.

That is the story your program needs to tell.

Can it?

If this analysis is useful, whether you are a CISO evaluating your program,

a vendor shaping go-to-market strategy, a product marketer cutting through noise,

or an analyst mapping the landscape, I would welcome the conversation.

This is what I do.

Connect the dots between business operations, the technology that serves them,

and the market forces that shape both.

Reach out at SeanMartin.com and subscribe to Lens4,

where business, innovation, and messaging come into focus.